The mandatory use of MFA will be introduced for all Google Cloud customers in 2025, describing the introduction as a “critical step” for users to protect their cloud environments from unauthorised access.
Subscribe today for free
“There is broad 2-Step Verification (2SV) adoption by users across all Google services. However, given the sensitive nature of cloud deployments — and with phishing and stolen credentials remaining a top attack vector observed by our Mandiant Threat Intelligence team,” Mayank Upadhyay, VP of engineering and a distinguished engineer at Google Cloud wrote in a blog post. “We believe it’s time to require 2SV for all users of Google Cloud.”
Multi-factor authentication is designed to be a more secure way for users to sign into platforms. Using a multi-step login process, users are required to enter information beyond simply a password.
For example, users might be asked to enter a code sent to their email, an answer to a secret question, or potentially biometric information, like a fingerprint or facial recognition.
Google Cloud is now making MFA mandatory for its millions of users, though the provider wants to introduce the measure in a staggered way to “ensure a smooth transition.”
The switch to MFA will span three stages. The first, starting November 2024 aims to encourage MFA adoption. Then, from “early 2025”, MFA will be required for password logins. By the end of 2025, the third phase, MFA will be extended to all users who federate authentication into Google Cloud.
Enterprise customers and users will receive advance notification of the change ahead of their transition to ensure their switch is seamless.
“At Google, we understand that you need flexibility and control when implementing new security measures,” Upadhyay wrote. “We will be working closely with identity providers to ensure there are standards in place for a smooth hand-off.”
Ed Russell, CISO business manager at Qodea described Google Cloud's move to mandatory MFA as a welcome move.
"Passwords alone no longer provide enough protection for sensitive data, and MFA introduces additional verification steps to guard against cyber breaches," Russell said. "Mandatory MFA will likely follow suit as it directly impacts employees' daily access to platforms and applications.
"Organisations must therefore carefully plan their MFA transition and provide staff with dedicated training to ensure a smooth transition," Russell said. "Now is the time for organisations to get ahead of the upcoming changes and dedicate either internal resources or external partners to achieving total MFA compliance.”
RELATED STORIES
Cloud group defends autonomy after Microsoft claims it's bankrolled by Google
Google Cloud Summit keynote: Security, openness, and AI innovation
Google Cloud partners with Salesforce to launch autonomous AI agents